May 30, 2019

An internet-wide scan has revealed almost one million devices vulnerable to BlueKeep, the Windows vulnerability that has the security community on high alert this month.

BlueKeep is better known as CVE-2019-0708, a vulnerability that Microsoft announced in its May Patch Tuesday release. It affects Windows Remote Desktop Services, which are accessible via the RDP protocol. It allows remote code execution and is wormable, meaning that a compromised Windows machine could seek out and infect other vulnerable machines with no human interaction. Worms can spread quickly online, as we saw with the WannaCry ransomware outbreak in 2017.

BlueKeep affects Windows XP, Vista, and 7 machines, but not Windows 8 or 10 boxes. The older versions make up around 35% of Windows installations, according to Statcounter. The flaw also affects Windows Server 2003 and 2008.

Security researcher Rob Graham ran a two-part scanning project to find out how many machines were vulnerable to this worrying flaw. He began by scanning the entire internet with a mass-scanning tool to find all devices responding on port 3389, the port most commonly used for RDP.

Then he narrowed the results by forking a BlueKeep scanner project that was added to the Metasploit penetration-testing framework last week. His fork became rdpscan, a tool designed to iterate quickly over a large set of addresses looking for Windows machines vulnerable to BlueKeep exploits.

It’s hard to know whether to laugh or cry at a new column that Motherboard’s Vice started earlier this month.

It’s called Scam Academy. Pull up a chair, students: Scam Academy is where you come to read about “schemes and cheats from within the high schools and colleges of America.” The authors are not Vice journalists. No, the authors are the ones who’ve cheated and accepted Vice’s invitation to share how they did it and why.

Presuming that these stories are true confessionals and not just made up for the lulz, the most recent column could have been titled “I made money hacking my teacher’s computer to change grades. It wasn’t particularly legal, but it was fun.”

Actually, forget about laughing or crying. Instead, if you’re anybody who works in education, be it teaching or in school IT administration, you need to grab a notepad and jot down what this anonymous kid had to say, because he or she described security holes big enough to drive a school bus through.

You’ve all seen the deepfake video of a digital Barack Obama sock puppet controlled by Jordan Peele, but we bet you haven’t seen an animated video of the Mona Lisa talking before. Well, thanks to the magic of AI, now you can.

Deepfake AI produces realistic videos of people doing and saying fictitious things. It’s been used to create everything from fake celebrity porn through to creepy video amalgams of Donald Trump and Nick Cage.

According to the team at Samsung Research’s Moscow-based AI lab, the problem with existing deepfakes is that the convolutional neural networks behind them have to be trained on a huge amount of material. For deepfakes, that means either lots of photos of the target or several minutes of video footage.

That’s fine if you’re mimicking a public figure, but it’s problematic if you don’t have that much footage. The Samsung AI researchers came up with an alternative technique that let them train a deepfake using as little as a single still image, in a technique they call one-shot learning. The quality improves if they use more images (few-shot learning), they say, adding that even eight frames can create a marked improvement.

The technique works by doing the heavy training up front on a large set of videos depicting many different people. This stage, which the researchers call ‘meta-learning’ in their paper, teaches the model to identify key facial ‘landmarks’, which it can then use as anchors when creating deepfake videos of new targets from only a few images.

Three alleged tech-support scammers have been charged with bilking the elderly out of at least $1.3 million for tech support services they didn’t need and never got.

The US Attorney’s Office for the Southern District of New York announced on Friday that the three had been arrested the day before.

According to a complaint filed by FBI Special Agent Carie Jeleniewski, the trio would allegedly cold-call their victims, running through the standard tech support scammer’s ruse of claiming to be from one of the big computer companies and warning the victims that their computer was infected with a virus. This went on for years, starting in 2013 at the latest and continuing until this month.

In fact, while investigators were interviewing one of the defendants, Gurjet Singh, at his home in Queens, New York, a carrier truck pulled up to deliver a check made payable to NY IT Solutions Inc. – one of the companies the alleged fraudsters set up to deposit money mailed in by their victims. According to the criminal complaint, Singh had been in the midst of explaining to officers that he collected the checks and then wired the money to Gunjit Malhotra in India. Singh’s cut of the allegedly swindled funds: 8%.

The defendants are Malhotra, 30, of Ghaziabad, India; Singh, 22, of Queens, New York; and Jas Pal, 54, also of Queens. They’ve each been charged with one count of conspiracy to commit mail fraud, which carries a maximum sentence of 20 years in prison. They’ve each also been charged with one count of conspiracy to access a protected computer in furtherance of fraud, which carries a maximum sentence of five years in prison. Maximum sentences are rarely handed out.

Singh was also charged with aggravated identity theft, which carries a mandatory minimum sentence of two years in prison.

Remember the Balboa Internet of Things (IoT) hot tub whose security was so dire it allowed researchers to remotely tweak important settings via the internet?

A few months on, the researchers behind that exposé, Pen Test Partners, have turned their attention to another incarnation of the same IoT theme: the ‘smart’ Bluetooth padlock made by the Chinese company Nokelock (not to be confused with the unrelated company Noke).

While Nokelock might not jump out as a household name, its smart padlocks feature prominently on Amazon.com for around $40 (£30) – including one rated ‘Amazon’s Choice’ – as well as under a range of other brand names.

Obviously, the point of a traditional padlock is to stop anyone who doesn’t have a key from unlocking it. In the case of the Nokelock, the function of the key is performed by a fingerprint reader built into the shackle that is configured using a smartphone app.

This convenience means that lots of users can be enrolled to use it without having to hand out keys that cost a lot to copy and might get lost.

Unfortunately, says Pen Test Partners, the Nokelock and its API also come with some major security flaws that prospective owners might like to know about before they stump up their cash.
